
IT and the Auditor – The Sequel


Presentation Transcript


  1. Depression Era Tactics for IT – Are you Tough Enough? IT and the Auditor – The Sequel

  2. Introduction
  • What is IT?
  • What is audit?
  • What you will learn
  • Let’s introduce ourselves
  GA GMIS Spring 2009 Conference

  3. Agenda
  • Introduction
  • IT Management Overview
  • Audit Management Overview
  • What do we have in common?
  • Strategies
  • Closing

  4. Overview
  • IT
  • Auditors defined
  • Relationship
  • Risk as a common ground
  • KPI
  • Results

  5. Vocabulary
  • Accountability – The security goal that generates the requirement for actions of an entity to be traced uniquely to that entity. This supports nonrepudiation, deterrence, fault isolation, intrusion detection and prevention, and after-action recovery and legal action.
  • Assurance – Grounds for confidence that the other four security goals (integrity, availability, confidentiality, and accountability) have been adequately met by a specific implementation. “Adequately met” includes (1) functionality that performs correctly, (2) sufficient protection against unintentional errors (by users or software), and (3) sufficient resistance to intentional penetration or bypass.
  • Availability – The security goal that generates the requirement for protection against intentional or accidental attempts to (1) perform unauthorized deletion of data or (2) otherwise cause a denial of service or data, and against unauthorized use of system resources.
  • Confidentiality – The security goal that generates the requirement for protection from intentional or accidental attempts to perform unauthorized data reads. Confidentiality covers data in storage, during processing, and in transit.
  • Denial of Service – The prevention of authorized access to resources or the delaying of time-critical operations.
  • Due Care – Managers and their organizations have a duty to provide for information security to ensure that the type of control, the cost of control, and the deployment of control are appropriate for the system being managed.
  • Integrity – The security goal that generates the requirement for protection against either intentional or accidental attempts to violate data integrity (the property that data has when it has not been altered in an unauthorized manner) or system integrity (the quality that a system has when it performs its intended function in an unimpaired manner, free from unauthorized manipulation).

  6. Vocabulary Continued
  • Risk – Within this presentation, synonymous with IT-Related Risk.
  • Risk Assessment – The process of identifying the risks to system security and determining the probability of occurrence, the resulting impact, and additional safeguards that would mitigate this impact. Part of Risk Management and synonymous with Risk Analysis.
  • Risk Management – The total process of identifying, controlling, and mitigating information system–related risks. It includes risk assessment; cost-benefit analysis; and the selection, implementation, test, and security evaluation of safeguards. This overall system security review considers both effectiveness and efficiency, including impact on the mission and constraints due to policy, regulations, and laws.
  • Security – Information system security is a system characteristic and a set of mechanisms that span the system both logically and physically.
  • Security Goals – The five security goals are integrity, availability, confidentiality, accountability, and assurance.
  • Threat – The potential for a threat-source to exercise (accidentally trigger or intentionally exploit) a specific vulnerability.
  • Threat-source – Either (1) intent and method targeted at the intentional exploitation of a vulnerability or (2) a situation and method that may accidentally trigger a vulnerability.
  • Threat Analysis – The examination of threat-sources against system vulnerabilities to determine the threats for a particular system in a particular operational environment.
  • Vulnerability – A flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system’s security policy.

  7. Vocabulary Continued
  • IT-Related Risk – The net mission impact considering (1) the probability that a particular threat-source will exercise (accidentally trigger or intentionally exploit) a particular information system vulnerability and (2) the resulting impact if this should occur. IT-related risks arise from legal liability or mission loss due to:
  1. Unauthorized (malicious or accidental) disclosure, modification, or destruction of information
  2. Unintentional errors and omissions
  3. IT disruptions due to natural or man-made disasters
  4. Failure to exercise due care and diligence in the implementation and operation of the IT system

  8. IT Defined

  9. Audit Supports

  10. Auditor and IT – Converging!

  11. Qualities of a good auditor!

  12. Compare the qualities of an Auditor to a CIO
  • Auditor vs CIO

  13. Compare Internal and External Auditor
  • Internal Auditor versus External Auditor

  14. Establishing and maintaining a positive relationship with the Auditor!
  • It starts with the request for information
  • This should be your opportunity to highlight your well-run IT organization
  • Provide them all the information they need and get them out the door or back in another department
  • Type of Audit/Auditor: Internal; External (Annual); Federal
  • Was it planned or provoked?

  15. Auditor’s Request for IT information
  • Document: 18 pages
  • 200 elements requiring a response
  • Range of questions:
  • Risk assessment and monitoring
  • Program Development and Implementation
  • Analysis and Design – Testing and QA
  • Data Conversion – Go Live
  • Documentation and Training
  • Change Management – Security Policy
  • Security (Apps, Network, Physical)
  • Business Continuity

  16. IT Budget and the auditor
  • The auditor could provide the support you need for additional resources
  • Answer questions honestly and completely

  17. Auditor’s Hot buttons – concept of least privilege!

  18. IT Charter/Project Charter

  19. Application Environments

  20. What is an Auditable IT Org?

  21. A Great IT Org!

  22. Security Concern

  23. IT Steering Team
  • Secure membership for the Auditor
  • If the Organization does not have an internal auditor, a qualified member of the organization should fulfill this role on the Team
  • Lean on the Auditor for help in setting the standards for RISK ANALYSIS
  • Maintain formal documentation in all meetings
  • Share written minutes with all members of the team

  24. Definition of Uncertainty and Risk
  • What is risk?

  25. Definition of Uncertainty and Risk
  • What is risk?
  • It is really the measurement of uncertainty.

  26. Definition of Uncertainty and Risk
  • What is uncertainty?
  • It is the lack of sureness about an outcome, ranging from just short of certainty to almost complete lack of knowledge about an outcome.

  27. Aspects of Risk
  • Risk event
  • Risk as an opportunity
  • Risk as a threat

  28. What is your manager’s tolerance for Risk?

  29. Issues or Risks?

  30. What is your manager’s tolerance for Risk?

  31. General Risk Management Strategy

  32. Risk Mitigation
  • Residual Risk (figure): New or Enhanced Controls → Reduce Number of Flaws or Errors / Add a Targeted Control / Reduce Magnitude of Impact → Residual Risk

  33. Risk Management
  • Importance of Risk Management
  • Integration of Risk Management into the SDLC
  • Key Roles
  • Risk Ownership

  34. Risk Management
  • Importance of Risk Management
  • Risk management plays a critical role in protecting an organization’s information assets, and therefore its mission, from IT-related risk.
  • An effective risk management process is an important component of a successful IT security program.
  • The principal goal of an organization’s risk management process should be to protect the organization and its ability to perform its mission, not just its IT assets.
  • Therefore, the risk management process should not be treated primarily as a technical function carried out by the IT experts who operate and manage the IT system, but as an essential management function of the organization.

  35. Risk Management
  • Integration of Risk Management into the SDLC

  36. Risk Management
  • Integration of Risk Management into the SDLC

  37. Risk Management
  • Key Roles
  • Senior Management
  • Chief Information Officer (CIO)
  • Systems and Information Owners
  • Business and Functional Managers
  • Internal auditor
  • IT Security Practitioners

  38. Risk Assessment
  • System Characterization
  • Threat Identification
  • Vulnerability Identification
  • Control Analysis
  • Likelihood Determination
  • Impact Analysis
  • Risk Determination
  • Control Recommendations
  • Results Documentation

  39. Risk Assessment Activities
  • System Characterization

  40. Risk Assessment Activities
  • System Characterization
  • Establish the scope of effort
  • Define the authorization boundaries
  • Provide the information essential to risk definition (input)

  41. Information Gathering

  42. Risk Assessment Activities
  • System Characterization – System-related information
  • Input
  • Additional input:
  • IT system functional requirements
  • System knowledge workers
  • Current security policy
  • System security architecture
  • Network topology – diagrams
  • Information storage info
  • Information flow
  • Controls (technical, management and operational)
  • Physical and environmental security

  43. Risk Assessment Activities
  • Human Threats: Threat-Source, Motivation, and Threat Actions (table with columns Threat-Source | Motivation | Threat Actions)

  44. Risk Assessment Activities
  • Human Threats: Threat-Source, Motivation, and Threat Actions (table with columns Threat-Source | Motivation | Threat Actions, continued)

  45. Risk Assessment Activities
  • Vulnerability Identification
  • Vulnerability/Threat

  46. Risk Assessment Activities
  • Vulnerability Identification
  • Development of Security Requirements Checklist (Security Criteria)

  47. Risk Assessment Activities
  • Vulnerability Identification
  • Development of Security Requirements Checklist (Security Criteria)

  48. Risk Assessment Activities
  • Vulnerability Identification
  • Development of Security Requirements Checklist (Security Criteria)

  49. Risk Mitigation
  • Risk Mitigation Options
  • Risk Mitigation Strategies
  • Approach for Control Implementation
  • Control Categories
  • Cost-Benefit Analysis
  • Residual Risk

  50. Risk Mitigation
  • Residual Risk (figure): New or Enhanced Controls → Reduce Number of Flaws or Errors / Add a Targeted Control / Reduce Magnitude of Impact → Residual Risk
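The slides name the assessment steps (Likelihood Determination, Impact Analysis, Risk Determination, Results Documentation on slide 38) and the residual-risk picture (slides 32 and 50) without showing the arithmetic that turns a threat/vulnerability pair into a risk level and then into a residual risk after a control is added. The following is an added worked example; it is not code from the presentation or from GA GMIS. The likelihood values (1.0/0.5/0.1), impact values (100/50/10) and risk thresholds are the ones in the NIST SP 800-30 risk-level matrix, used here as an assumed scale; the rule that one control steps likelihood or impact down exactly one rating is a deliberate simplification, and the register entries are constructed, not from any real assessment.

```python
from dataclasses import dataclass

# Rating scales: assumption, taken from the NIST SP 800-30 (2002) risk-level
# matrix. An organization substitutes its own scale here.
LIKELIHOOD = {"High": 1.0, "Medium": 0.5, "Low": 0.1}
IMPACT = {"High": 100, "Medium": 50, "Low": 10}
STEP_DOWN = {"High": "Medium", "Medium": "Low", "Low": "Low"}


@dataclass(frozen=True)
class RiskItem:
    """One threat-source / vulnerability pair from the risk assessment."""
    threat_source: str
    vulnerability: str
    likelihood: str   # "High" / "Medium" / "Low"  (Likelihood Determination)
    impact: str       # "High" / "Medium" / "Low"  (Impact Analysis)


@dataclass(frozen=True)
class Control:
    """A new or enhanced control. 'effect' names which factor it reduces:
    'likelihood' (fewer flaws, a targeted control) or 'impact' (magnitude)."""
    name: str
    effect: str


def risk_score(item: RiskItem) -> float:
    """Risk Determination: likelihood rating x impact rating."""
    return LIKELIHOOD[item.likelihood] * IMPACT[item.impact]


def risk_level(score: float) -> str:
    """Map a score onto the three-level scale (thresholds assumed from SP 800-30)."""
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


def apply_controls(item: RiskItem, controls: list) -> RiskItem:
    """Residual risk: each control steps likelihood or impact down one rating
    (simplified model, an assumption of this example)."""
    likelihood, impact = item.likelihood, item.impact
    for c in controls:
        if c.effect == "likelihood":
            likelihood = STEP_DOWN[likelihood]
        elif c.effect == "impact":
            impact = STEP_DOWN[impact]
        else:
            raise ValueError(f"unknown control effect: {c.effect!r}")
    return RiskItem(item.threat_source, item.vulnerability, likelihood, impact)


def results_documentation(register: list) -> list:
    """Results Documentation: one row per risk with current and residual level,
    ordered so the highest residual risk (what is left for management) comes first."""
    rows = []
    for item, controls in register:
        residual = apply_controls(item, controls)
        rows.append({
            "threat_source": item.threat_source,
            "vulnerability": item.vulnerability,
            "risk": risk_level(risk_score(item)),
            "controls": [c.name for c in controls],
            "residual_risk": risk_level(risk_score(residual)),
        })
    order = {"High": 0, "Medium": 1, "Low": 2}
    rows.sort(key=lambda r: (order[r["residual_risk"]], order[r["risk"]]))
    return rows


# Constructed sample register (illustrative only).
SAMPLE_REGISTER = [
    (RiskItem("Disgruntled insider",
              "Shared administrator account, no individual accountability",
              "High", "High"),
     [Control("Individual admin accounts with least privilege", "likelihood")]),
    (RiskItem("Natural disaster",
              "Single data center, backups never restored",
              "Low", "High"),
     [Control("Tested off-site restore procedure", "impact")]),
    (RiskItem("Untrained user",
              "No change management on production configuration",
              "High", "Medium"),
     []),
]

if __name__ == "__main__":
    for row in results_documentation(SAMPLE_REGISTER):
        print(row)
```

The insider item starts at High (1.0 × 100) and drops to Medium (0.5 × 100 = 50) once per-person admin accounts remove the shared credential, which is exactly the least-privilege point auditors look for on slide 17; the uncontrolled change-management item stays Medium and therefore sorts ahead of the disaster item in the documented results.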
